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METHOD AND SYSTEM FOR COMMUNICATIONS MONITORING 

The present invention relates to a method and system for 
communications monitoring and, in particular, to a method and system for use 
in the surveillance of communications traffic. 

With the increase in commercial transactions conducted via the internet, 
or via a telephone call, commercial organisations have increasingly turned to 
recording technology to assist with monitoring the performance of their 
customer service employees who, quite commonly, might be located within a 
call centre designed specifically to handle a large number and variety of 
telephone enquires and transactions. It is therefore now quite common for 
such transactions to be monitored and prior warnings are given providing a 
customer with a clear indication that the conversation may be recorded for 
training and quality-control purposes. The recording of such transactions can 
also prove to be of assistance in meeting regularity requirements and 
enhancing the possibilities for dispute resolution. 

The employment of such recording techniques has however remained 
very much in the commercial environment since the indiscriminate recording 
of, for example, telephone communications traffic in general, and including 
mere public communications traffic, carries with it far greater data protection 
and privacy issues. 

Although it is known for law enforcement agencies to obtain 
authorisation to place wire-taps in order to monitor, for example, telephone 
communications involving a likely criminal source, such authorisation is 
granted only once particular criteria concerning the level of suspicion of the 
criminal source are met: which, of course somewhat disadvantageously can 
often prove to be after incriminating communications traffic has already been 
sent. 
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The present invention seeks to overcome such disadvantages with 
regard to the time-lag that can currently exist when seeking to monitor 
communications traffic and with regard to the likely occurrence of potentially 
incriminating traffic and the initiation of a monitoring/surveillance program. 

According to a first aspect of the present invention, there is provided a 
method for use in the monitoring of communications traffic, and comprising the 
steps of recording the said traffic, storing the recorded traffic in an encrypted 
data format and such that this data can be decrypted only by means of 
decryption keys that exhibit restricted availability. 

The method is particularly advantageous since it can allow for the 
recordal and encryption of all communications traffic so that potentially 
incriminating traffic from a later-identified criminal source has already been 
recorded and the restricted availability of the decryption keys can then allow 
for a means for accessing the potentially incriminating communications 
evidence in a same controlled manner as known wire-taps are currently 
permitted. 

Preferably, the method can be implemented employing spare disk 
space, and/or CPU capacity within a currently existing telecommunications 
system. This has the particular advantage of allowing for implementation of 
the method at negligible additional cost. 

Also, the decryption keys arranged to be issued in a secure and 
authorised manner can be arranged to contain encrypted search conditions 
serving to restrict their scope of use. For example, a "where" clause can be 
embedded within the decryption key so as to allow access only to those 
encrypted data records that match the authorised search criteria. 

Further, the decryption key can contain discreet levels of authorisation 
for access to the encrypted data. 
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According to a further advantage, the decryption keys can be arranged 
to be used only once so as to advantageously prevent unauthorised 
subsequent searches through the recorded data. 

i 

Advantageously, the method includes the steps of logging all attempted 
accesses to the stored data. This can advantageously provide for secure and 
encrypted audit trail accessible only by means of specially granted keys 
available only to reviewing/auditing bodies rather than, for example, law 
enforcement agencies. 

According to a further feature, the method can provide for the inclusion 
of tamper detection reference data. 

Advantageously, the method is arranged to record all communications 
traffic and to likewise store all of the recorded traffic. 

In particular, the method is applicable to communications traffic through 
a node such as a telecommunications switch, router or gateway. 

Preferably, the method also includes the step of encrypting details 
concerning the communications traffic, which details are then also stored. 

It will therefore be appreciated that the present invention can 
advantageously provide for a method for use in the monitoring of 
communications traffic as noted above and including the step of restricting the 
availability of the decryption keys in accordance with, in particular, legislative 
requirements. 

According to another aspect of the present invention, there is provided 
a system for use in the monitoring of communications traffic and including 
means for recording the said traffic, means for storing the recorded traffic as 
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encrypted data such that the data can be decrypted only by means of 
decryption keys that exhibits restricted availability. 

The invention also preferably includes a system arranged to operate in 
accordance with the method steps outlined above. 

The invention is described further hereinafter by way of example only, 
with reference to the accompanying drawing which comprises a schematic 
block diagram of a telecommunications monitoring system according to an 
embodiment of the present invention. 

Turning now to the accompanying drawing, there is illustrated a 
telecommunications monitoring system 10 for monitoring communications 
traffic 12 travelling through, for example, a telecommunications switch 14. The 
system includes a recording device 16 that taps into the switch 14 so as to 
record all of the traffic passing there-through. The recorded traffic is then 
delivered to an encryption engine 18 which can employ any one or more of the 
appropriate currently available encryption schemes and in particular one or 
more of the 128-bit currently available encryption schemes. 

The encrypted data is then delivered to the storage means 20 in which it 
can be stored for any appropriate amount of time, if not indefinitely, in 
accordance with legislative requirements. The encrypted data within the 
storage means 20 can be accessed and decrypted by means of decryption 
keys 22. 

Typically, the available storage space can be recycled so as to provide 
a "first in first out" (FIFO) buffer of recordings which are retained for the 
maximum possible duration before being overwritten with more recent 
recordings. 
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However, an authorising system 24 is in place, which can be controlled 
by any appropriate authorising, or legislative body, such that the decryption 
keys 22 are only made available should specific criteria be met. 

As an example, the decryption keys can be issued in a manner similar 
to currently existing schemes for authorising wire-taps. 

The availability of so-called wire-tap warrants is currently closely 
controlled for example in the US by means of the Federal Communications 
Commission by means of the Communications Assistance for Law 
Enforcement Act 1994 whereas similar legislation has been introduced in the 
United Kingdom by means of the Regulation of Investigatory Powers Act 2000. 

Such systems can advantageously allow for separate levels of 
authorisation such as the so-called "pen and trace" warrant or the "wire-tap" 
warrant controlled in the US under the above-mentioned Communication 
Assistance for Law Enforcement Act 1994. 

Advantageously, the decryption keys can themselves contain encrypted 
search conditions so as to satisfactorily reduce, or eliminate, the chance of 
abuse and error. That is, if a warrant is issued to allow for the review of the 
calls only from one particular source, to one particular destination, or only calls 
within a particular time frame, appropriate clauses can be embedded within the 
decryption key so that only those encrypted records that match the quite 
specific criteria are made available. 

Thus, as will be appreciated, and with particular reference to the 
enclosed drawing, the present invention provides for a particular 
advantageous concept in communications monitoring in which there is a no 
danger of important communications evidence being lost due to delays in 
seeking appropriate surveillance authorisation since the obtaining of such 
authorisation is time-shifted to a point at which the recording is made, and the 
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granting of the authorisation relates merely to accessing a secure recording 
thereof. 

It should be appreciated that the present invention is not restricted to 
the details of the foregoing embodiments. For example, the concept can be 
applied to any appropriate form of communication, and indeed the 
communication of any appropriate data and whether comprising audio, 
modem, fax or data network packet data such that, for example, PC terminal 
activity can also be monitored for subsequent review if authorised. 

With regard to realisation of the concept it should be noted that 
telephone switch manufacturers could readily embed the capability of 
recording all calls in next generation switches for a few percent of the total cost 
of the system. 

All calls could be recorded using heavy-weight encryption so as to 
maintain public confidence that the same controls were in place to grant 
access to recordings that are used today to authorise wire-tapping, i.e. 
decryption keys are only issued as a warrant is granted. Initially it may only 
be viable to retain such recordings for a few days although increasingly 
inexpensive storage capabilities will assist in increasing such periods. 

This capability could be added to every cellular base station, every 
central office switch and every corporate switch. 

The ability to go back through all calls made after the event by identified 
terrorists can have a significant effect on follow-up operations. 

Whilst the concept of the wire-tapping of telephone lines is well known, 
the use of a PC can also be monitored. 
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For example, while programmers first introduced "log files" into specific 
applications as diagnostic aids to help them understand how someone broke 
their program, and from the concept of being able to note everything, that 
happened on a PC goes back to the venerable tools like "PC Anywhere" it was 
a fairly small step from there to keeping a log file of everything that happened 
on the screen during your session. 

More recently, this concept has been increasingly used in call centres to 
review maybe 1 % of calls to see how customer service reps are using the 
computer system during phone calls. 

Increasing amounts of business are conducted on mixed channels - 
with a caller on the line also looking at his browser where a staff member is 
highlighting terms and conditions on a competitor's web-site. Regulatory 
bodies have only just began to be aware of potential loop-holes in rules that 
insist on voice recording only. Where communication involves multiple 
channels it is vital that all channels are recorded together, archived together 
and replayable together. 



WO 2004/019585 



PCT/GB2003/003668 



8 

Claims 

1 . A method for use in the monitoring of communications traffic, 
comprising the step of recording the said traffic and storing the 
recorded traffic in an encrypted data format such that the data can 
be decrypted only by means of keys that exhibit restricted 
availability. 

2. A method as claimed in Claim 1 and arranged to employ a spare 
disk and/or CPU capacity within a telecommunications system. 

3. A method as claimed in Claim 1 or 2 and including the step of 
including encrypted search conditions within the decryption keys that 
are made selectively available. 

4. A method as claimed in Claim 1 , 2 or 3, and including the step of 
employing separate levels of authorisation for access to the stored 
data. 

5. A method as claimed in any one or more of Claims 1-4, and 
including the step of employing a decryption key that is useable only 
once. 

6. A method as claimed in any one or more of the preceding claims, 
and including the step of logging all accesses to the stored data to 
an encrypted secure audit trail. 

7. A method as claimed in any one or more of the preceding claims 
and including a tamper detection reference within the encrypted 
data. 
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8. A method as claimed in any one or more of the preceding claims, 
and including the step of monitoring all the available 
communications traffic. 

9. A method as claimed in Claim 8 and when the step of storing the 
recorded traffic comprises the step of recording all of the recorded 
traffic. 

10. A method as claimed in any one or more of the preceding claims, 
wherein the communications traffic to be recorded comprises traffic 
through a telecommunications switch, router or gateway. 

11. A method as claimed in any one or more of the preceding claims, 
and including the step of encrypting details relating to the 
communications traffic and storing the said encrypted details for 
subsequent access. 

12. A method as claimed in any one or more of the preceding claims 
and including the step of authorising use of the required decryption 
key in a restricted manner. 

13. A system for use in the monitoring of communications traffic, 
including means for recording the said traffic and means for storing 
the recorded traffic as encrypted data, such that the recorded data 
can be decrypted only by means of keys that exhibit restricted 
availability. 

14. A system as claimed in Claim 13 and arranged with means for 
executing the method steps of any one or more of Claims 2-12. 
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1 5. A method for use in the monitoring of telecommunications traffic 
substantially as hereinbefore described with reference to, and as 
illustrated in the accompanying drawing. 

16. A system for use in the monitoring of telecommunications traffic 
substantially as hereinbefore described with reference to, and as 
illustrated in the accompanying drawing. 
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